Message-ID: <44DC79BC.17906.19812396@stuart.cyberdelix.net>
Date: Fri, 11 Aug 2006 12:36:12 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: (Fwd) CWD--Save the Nation; Eat a hacker

[flashback - not much has changed - FUD has a new face, but his modus 
operandi remains the same. See also: http://en.wikipedia.org/wiki/FUD 
 - Stu]

------- Forwarded message follows -------
From:           	"Meeks, Brock" <Brock.Meeks@...BC.COM>
To:             	"'cwd@...lon.mit.edu'" <cwd@...lon.mit.edu>
Subject:        	CWD--Save the Nation; Eat a hacker
Date sent:      	Fri, 24 Sep 1999 11:25:39 -0700

CyberWire Dispatch // Copyright © 1999 // September 24, 1999

Jacking in from the "Snake in the Grass" Port:

Save the Nation; Eat a Hacker
By George Smith
CWD special correspondent

Richard Clarke, President Clinton's baleful counter-terrorism 
guru on the National Security Council, has a plan to save us from 
computerized terrorists. Actually, he appears to have lots of 
plans but we're only going to talk about one today. And while 
it's not particularly original, it's a real viper.

To save the nation from "electronic Pearl Harbor" -- you
know, that nebulous electronic doom that's supposed to be
creeping toward us from out of the gibbering dark of the 
Internet -- Clarke democratically "suggested" recently that 
the U.S. government could change laws that are impediments to 
information assurance and security. 

And these impediment laws would be? 

Why, just the Freedom of Information Act, as well as antitrust 
regulations and liability law. 

Clarke was speaking for an extended interview published in the
August edition of Signal magazine, a quasi-military trade 
publication whose editors get hard-ons over Pentagon electronic
technology and anything that would aid in the smiting of the
Department of Defense's alleged manifold computer enemies. Signal 
is best known for an utterly weird April 1998 howler on an 
alleged piece of attack software, called "Blitzkrieg," which was, 
the magazine seriously told a readership of easily-gulled Pentagon
contractors, "more dangerous than nuclear weapons."

In one form or another the venomous idea to tamper with FOIA
has been bandied around in documents and studies on information 
warfare since at least 1996, well before the appearance of 
Clarke on the cyberscene. It is generally coupled to the linking of 
the military and law enforcement to select industry "groups." The 
intelligence agencies, Department of Defense and law enforcement 
would then share classified or supposedly sensitive materials with 
these ill-defined industrial groups so they could pool resources 
to quickly thwart potential "electronic Pearl Harbors."

The head of the Federation of American Scientists' Secrecy and
Government Project, Steven Aftergood, explained the rationale,
or rather the lack of it, behind screwing with the FOIA.

"Modifying FOIA is the first thing everyone thinks of," said 
Aftergood. "It's the one thing everyone can agree upon."

Whenever someone in the government or military writes something
on "electronic Pearl Harbor," they have to come up with a set 
of recommendations, added Aftergood.  The no-brainer is to rip up 
FOIA, one of the final ramparts used by citizens, as well as 
journalists, in the preservation of open government.

The belief driving this, said Aftergood, is that, (1), industry 
won't share any information on computer security problems with 
government if it isn't shielded from FOIA because of the 
potential for misuse by competitors, and, (2); "It's already 
too easy to obtain information through FOIA . . . which is 
ridiculous." 

How ridiculous?

Rob Rosenberger, a well-known independent computer
security analyst and one of the U.S. military's first information
warriors, recently tried to use FOIA to dig up some simple 
information about how the Air Force reacted to the Melissa 
virus.

The Department of Defense has a rating system known as INFOCON.
It tries, emphasis on the word tries, to emulate the old DEFCON 
system in that it is a way the military rates a threat and its 
posture regarding the threat. 

The conditions range from NORMAL, notes Rosenberger, which 
means "no significant activity" ("a theoretical optimum," he 
notes dryly on his website, "[that] we cannot achieve if 
we accept 14-yr-old hackers as a national security threat") to 
ALPHA, an "increased risk of attack," -- all the way up 
to DELTA, signifying a "general attack."

INFOCON DELTA computer incidents would "undermine [DoD's] 
ability to function effectively [and would create a] 
significant risk of mission failure," Rosenberger explains 
on his website.

"INFOCON DELTA means the military treats the Internet as a
battlefield, complete with damaged PCs and smoldering 
mousepads," added Rosenberger. 

Rosenberger's FOIA request was simple. He asked a number of Air 
Force agencies what their INFOCON status was from March 15 to 
April 15, a window that covered the incidence of the Melissa 
virus.

U.S. Air Force HQ in Europe was the only agency that answered
with its status -- INFOCON ALPHA.

The HQ Air Intelligence Agency "refused to disclose their 
INFOCON status" on the grounds that "Unauthorized disclosure of 
such information could reasonably be expected to cause serious 
damage to national security. The document is currently 
classified."

The presidential support unit, the 89th Comm Squadron, "passed 
the buck to HQ Air Mobility Command . . . [which] passed the 
buck to U.S. Transportation Command . . . which refused to 
disclose such sensitive data, "the release of which would allow 
circumvention and substantially hinder the effective performance 
of a significant function.'"                

The Air Force Office of Special Investigations didn't respond 
due to a backlog of FOIA requests, noted Rosenberger.

This circle jerk of buck passing makes a mockery of the FOIA acronym: 

"freedom of information Act."  

And this is _before_ Richard Clarke protects us from 
"electronic Pearl Harbor."

"Electronic Pearl Harbor," or EPH, in case you missed it, is a 
descriptor that's been popularized by Alvin Toffler-types, ex-Cold 
War generals, think tank scholars, national security mandarins, 
assorted corporate windbags and too many hack journalists. Outside the 
Beltway, it might as well be an acronym for "electronic propaganda 
and hype" since no convincing examples of the alleged uber-menace 
from the Net have been seen since a first sighting of the phrase 
in 1993.

Ironically, the utter lack of EPH since 1993 hasn't hindered 
repeated mentions of it in the mainstream press in 1999.
  
Countless stories, among them Clarke's spiel for Signal, have run 
on the subject this year, often seemingly the work of editors and 
reporters ditching critical thinking on the subject in favor of 
acting like children overcome by a joy of believing in scary stories. 

And although there have been many government pointmen called upon 
to carry the water for EPH during the decade, this year's prime 
exponent has been Richard Clarke.

Normally, the Clarke/EPH mantra goes like this: An electronic attack 
on the nation could do any and all of the following -- stop water
from coming out of the taps, turn off the electricity, rob food from
grocery stores, take all of your money from the bank, disconnect
911 service, and completely stymie the most powerful, if 
muscle-bound, military in the history of the planet. 

A secret 1997 Pentagon exercise called "Eligible Receiver" is 
offered as proof that this is possible. Clarke invokes it
for the credulous and it has appeared literally hundreds of times 
in news stories on EPH since 1997. "Eligible Receiver," depending 
upon where you read about it, consists of this:

Twenty friendly hackers, or 25, or between 30 and 35 
friendly hackers, from -- the Pentagon, the National Security 
Agency, or the Joint Staff, take your pick -- proved they could 
take down the national power grid, take down 911 service nationwide, 
disrupt troop movements, buy laptops, steal laptops, foul up 
the military's command structure in southeast Asia, pose as 
attacking North Koreans, compromise unspecified secret computer 
systems, compromise unspecified public computer systems, and all 
without getting their hair mussed, using off-the-shelf software or 
hacker scripts trolled from the Net.

And you thought we had problems with the Y2K issue...

Details, of course, are secret.

However, despite Pentagon propaganda claims of the amazing 
electronic prowess of the "Eligible Receiver" hackers, 
said hackers appear to have been absent without leave 
or about as effective as the concerted breaking of wind during 
every significant real-world U.S. military engagement in the 
past two years.

Osama Bin Laden? We sent cruise missiles, on the advice of 
our man, Richard Clarke, by the way. Some of them hit the 
wrong target. Saddam Hussein? Judging from empirical evidence, a 
man seemingly impervious to electronic Pearl Harbor. 

Slobodan Milosevic and the Serbian Army? It was "the first cyberwar," 
claimed the Pentagon's John Hamre. Hold it right there, buddy. 
It wasn't Pentagon hacker hocus pocus turning out the lights and 
TV in Belgrade and smashing the bridges over the Danube. Lots of 
cruise missiles, cluster bombs, fancy chaff dispensers and JDAMS 
wrecked things the old-fashioned way.

Having dispensed with the taxpayer-funded myth of "Eligible 
Receiver," the other main proof offered by the Clarkes and EPH 
proponents of the nation is citation after numbing citation, some 
of them apocryphal, of things like the prevalence of computer 
viruses in corporate America or teenagers who enjoy defacing 
government and military websites. 

Consider this: To date there have been no unclassified studies, 
let me repeat that, no unclassified studies, 
that convincingly explain in technically sophisticated and detailed 
examples how precisely, for instance, teenage hackers could
suddenly gain the power to keep bombs from falling on a Belgrade 
or how computer viruses, which have been infecting corporate and 
government systems in good numbers for more than a decade with no
more than annoying results, could suddenly transform into weapons 
of mass destruction capable of turning off the water and power 
nationwide.

So, let's put the whole thing in perspective. Because of a
potential for "electronic Pearl Harbor" and threats
to computer security posed by teenagers and nincompoop virus 
writers, which the military already won't discuss openly 
even under threat of FOIA, it is necessary, says our man Clarke, 
to make FOIA even more toothless.  Now that's a plan!

In the late 1860's, a con man induced a farmer near 
Syracuse, New York, to bury a cheap gypsum statue that had been 
crudely altered to resemble a giant, fossilized man. The statue 
was then "discovered" and proclaimed "the Cardiff giant," the 
scary remains of a specimen of a lost race said to have 
wandered the hills prior to the coming of man.

Although immediately dubbed a fake by a few who smelled a 
rat, there was a great deal of popular acceptance of "the Cardiff 
giant," which spilled over into the news media of the time. 

Andrew D. White, the first president of Cornell University and 
one of the "giant's" earliest skeptics, remarked in his memoirs 
of the affair: "There was evidently a 'joy in believing' in the 
marvel, and this was increased by the peculiarly American 
superstition that the correctness of a belief is decided by the 
number of the people who can be induced to adopt it."

Like "the Cardiff giant," EPH is accompanied by plenty of 
acceptance by the news media and a "joy in believing" 
in the absence of compelling proof. However, the people
of the late 1860's didn't have to endure a Richard Clarke
attempting to tamper with open government under the guise
of protecting them from the damn bogus thing.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

George Smith, Ph.D., is editor of "Crypt Newsletter," you can contact 
him at: crypt@....soci.niu.edu.
================================================================

EDITOR'S NOTE:  CyberWire Dispatch, with an Internet circulation 
estimated at more than 600,000 is now developing plans for a 
once-a-week e-mail publication. Every week, one of five well-known 
investigative reporters will file for CWD.  If you think your company 
or organization would be interested in more information about 
establishing a sponsorship relationship with CyberWire Dispatch, 
please contact Lewis Z. Koch at lzkoch@....com.


------- End of forwarded message -------

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
